Not impressed Anderson! AB still requests Favicon over port 80, even though I have set up AB to use port 8080.

This is a security vulnerability because it can expose your real IP address when you think you are using a proxy!

What needs to be done to get this MAJOR BUG fixed ???????

Anderson, You asked for an explanation of how I found out that AB was leaking information and I gave you proof which could not be refuted!

If you don't plan on fixing this *SECURITY VULNERABILITY IN AB* then at least have the decency to reply here as to your reasoning, although there is no excuse for leaving vulnerabilities in apps unless you are somehow profiting from it!!!

I have given you reproducible steps, and I know for a fact that it would take all of 5 (yes five) minutes to fix!

*** AB IS NOT A SECURE BROWSER !!!!! *******

I expect this post to be deleted due to the truthful nature of its content, but I will continue to publish it again, and again, and again......., until it is fixed!

I would know because I have looked at the assembly code of AB, after dis-assembling it (illegal though it may be!).

That's exactly the kind of response I expected from an AB fan/mod! I'm pointing out a serious flaw in AB, and you can only criticise me for doing so.

Granted _DrDrrae_ there are workarounds, but is it really acceptable for an Internet Web browser to have such a big flaw ?

By big, I mean that AB indicates it's sending all traffic through a proxy, but at the same time sending out requests over a port which the user has no control, and without any indication that it's doing something underhand! (which it is!)

I'm sorry, but anyone who defends this kind of behaviour is either being paid by Anderson, or does not respect privacy!!!

I like AB, but at the same time would think twice about using a web browser whose author thinks it's more important to sort out issues like

I see a minor flaw. When I move the mouse over an image I get that image menu bar showing up, which is fine. But if I move the mouse over an image and quickly right click the right click context menu comes up but then the image menu bar also shows up, sometimes under and sometimes over the context menu. Although the menu bar disappears shortly anyway if I don't use it, I think it would be better if the image menu bar didn't show up at all if the right click context menu is already up.

Last edited by gary100856 on Fri Jun 24, 2005 8:42 am, edited 1 time in total.

Defenestration wrote: This is a security vulnerability because it can expose your real IP address when you think you are using a proxy!

What needs to be done to get this MAJOR BUG fixed ???????

I'd say that relying on a proxy as a "security" measure is like putting an opaque bag on one's head and pretending there's nothing out there since you cannot see anything. Even being behind a NAT server is insecure...

That's not to say that bypassing the proxy for favicons if a proxy has been specified is good, but that's definitely NEITHER a security issue NOR a major bug (I, for one, don't use a proxy and probably many other users don't), at most it can be an annoyance for you; if this issue has not been dealt with yet, there probably are other problems to tackle before. If you are so afraid, then block port 80 on your firewall so that no traffic can pass through it and let all http traffic through to your proxy on 8080.
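Added example, not part of the original thread and not any poster's or Avant Browser's code: a check over outbound connection records that flags any browser connection that did not go to the configured proxy, which is how a direct port-80 favicon fetch like the one reported here would show up. The log format, process name and addresses are constructed for illustration; treating loopback destinations as non-leaking is an assumption.

```python
import ipaddress

# Constructed sample: "<time> <process> <dst_ip>:<dst_port>" per outbound connection.
SAMPLE_LOG = """\
08:41:02 browser.exe 192.0.2.10:8080
08:41:02 browser.exe 198.51.100.7:80
08:41:03 browser.exe 192.0.2.10:8080
08:41:05 mailer.exe 203.0.113.25:25
08:41:06 browser.exe 127.0.0.1:9050
08:41:07 browser.exe [2001:db8::5]:80
garbled line
"""

def parse_endpoint(text):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, port)."""
    host, _, port = text.rpartition(":")
    host = host.strip("[]")
    return ipaddress.ip_address(host), int(port)

def find_proxy_bypasses(log_text, process, proxy_ip, proxy_port):
    """Return (time, ip, port) for connections by `process` that did not
    go to the configured proxy. Loopback destinations are ignored
    (assumption: local traffic does not expose the client address)."""
    proxy = (ipaddress.ip_address(proxy_ip), proxy_port)
    leaks = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1] != process:
            continue  # malformed line or a different program
        try:
            dst = parse_endpoint(fields[2])
        except ValueError:
            continue  # unparseable endpoint: skip rather than guess
        if dst == proxy or dst[0].is_loopback:
            continue
        leaks.append((fields[0], str(dst[0]), dst[1]))
    return leaks

if __name__ == "__main__":
    hits = find_proxy_bypasses(SAMPLE_LOG, "browser.exe", "192.0.2.10", 8080)
    for when, ip, port in hits:
        print(f"{when} direct connection to {ip}:{port} bypassed the proxy")
```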

abfan123 wrote: Try to use some proxy server and go to http://whatismyip.com with any browser (Firefox/Mozilla/Opera/Internet Explorer/Avant Browser)

Even if I'm using the "anonymous proxy server" or even "highly anonymous" and programs like ProxyWay, whatismyip.com still show me 2 IPs: 1 my real IP and another IP of the proxy server that I'm using

So...Where's the vulnerability exists?

I can't speak about other anonymous proxy servers because I don't use them, but when I use Anonymizer as my Anonymous proxy and go to http://whatismyip.com or http://www.ipchicken.com (or any other website that shows your real IP address), only my anonymous proxy IP address is shown, and not my real IP address.

The vulnerability exists because my real IP address is exposed every time a Favicon is requested by AB.

robc wrote: I'd say that relying on a proxy as a "security" measure is like putting an opaque bag on one's head and pretending there's nothing out there since you cannot see anything. Even being behind a NAT server is insecure...

Granted nothing is totally secure, but does that mean you should not use a firewall, AV etc. because they are not perfect ?! Not at all. It just means you should be aware of the limitations. As with all types of security it should be used as part of a layered defence.

An anonymous proxy service allows you to hide your real IP address from the sites you visit through it. You do expose your real IP address to the anonymous proxy servers, but IMO it's better to only expose your real IP address to a single entity than to multiple entities.

robc wrote: That's not to say that bypassing the proxy for favicons if a proxy has been specified is good, but that's definitely NEITHER a security issue NOR a major bug (I, for one, don't use a proxy and probably many other users don't), at most it can be an annoyance for you; if this issue has not been dealt with yet, there probably are other problems to tackle before.

I just don't see how you can say a compromise of your privacy, by your real IP address being exposed (unknowingly to most users unless they are aware of this problem), is not a security issue or a major issue. While you and many others don't use a proxy, there are also many people who probably do use a proxy.

An issue like this should go straight to the top of the ToDo list, and be given highest priority.

I agree that this needs to be fixed, but by claiming that it must be some sort of plot you're not exactly winning people over by your arguments.

The problem is that not enough people care about this issue. Most people don't value anonymity on the web. Look below here - there's my website address. If you go there you can find my personal phone number. The vast majority of people aren't concerned, so this flaw has no priority.

But it is a serious flaw. If people think they're anonymous then they should be, even if there aren't many of them. It ought to be fixed as soon as possible.

You cannot be completely anonymous on the Net even if you're using some of the anonymizers out there: the plain simple fact is that somewhere the mapping of your real IP to the "anonymous" one is recorded and can be retrieved, some way or the other. Probably, the maximum "anonymity" one may get is to browse for a few minutes in an internet cafe in another town (better, in another country) while there's nobody in there, then jump on a train and leave for somewhere else. And please, in such a case, don't ever browse to password-protected sites using your true-life account...

I'm afraid the best security nowadays lies in using a fully patched system (whatever the OS, each and every one of them has its own set of problems) behind a dedicated firewall (hardware or IPCop-like) and with "good" browsing habits; the best privacy, using the above system with cookies switched off except for those few cases in which you need them (e.g. online transactions, forums, etc.). Whatever your ISP, there are bound to be logs everywhere, stored for several years at least to comply with the law, so there actually are very few instances in which you may do something that others cannot "trace" if they really want to.

What that means is, don't do anything on the net that you don't want someone else to know about. Just as in real life, we have to live our lives as tho someone is looking over our shoulder--the metaphor can be religious or not, as you like. Obviously there are a lot of people who have fooled themselves into thinking that they are truly untouchable on the net--that they can say and do all kinds of things in the virtual world that they would sneak around about in the real world. What happens when the two worlds meet can be disastrous, whether it's a terrorist plan or a pedophile.

While I'm very careful about personal info like credit card #'s I do rely on secure servers when I shop on line and password protect the data on my computer. Beyond that kind of thing I don't do anything on-line that would do damage to anyone in either the virtual or the real world. I might embarrass myself occasionally, but, hopefully, I've never knowingly harmed anyone else. IMHO folks who are out to do harm forfeit their rights to privacy. When people start talking about plots, I immediately wonder what they are trying to hide...............

Yes I would have to agree that this bug, while minor in many respects, is a deal breaker for anyone who surfs anonymously, including me. I used Avant Browser for a while and liked it very much but not having the ability to use it with the proxy made me switch to Firefox.
I actually just registered to find out about this and saw this thread so I figured I may as well include myself in the ones that see this as a deal breaker. Great browser otherwise though!

IMHO folks who are out to do harm forfeit their rights to privacy. When people start talking about plots, I immediately wonder what they are trying to hide...............

Maybe so, but that would also mean that people doing no harm also lose their privacy, and why shouldn't law abiding people have privacy?
Thanks,
Paul

tmpusr wrote: Yes I would have to agree that this bug, while minor in many respects, is a deal breaker for anyone who surfs anonymously, including me. I used Avant Browser for a while and liked it very much but not having the ability to use it with the proxy made me switch to Firefox. I actually just registered to find out about this and saw this thread so I figured I may as well include myself in the ones that see this as a deal breaker. Great browser otherwise though!

IMHO folks who are out to do harm forfeit their rights to privacy. When people start talking about plots, I immediately wonder what they are trying to hide...............

Maybe so, but that would also mean that people doing no harm also lose their privacy, and why shouldn't law abiding people have privacy? Thanks, Paul

As you may see from the changelog of the next beta build, this bug has been corrected quite long ago.
So what's the point to discuss it now?
